44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

Analysis

max time kernel
45s
max time network
19s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

persisted_first_party_sets.json
Size

2B
MD5

99914b932bd37a50b983c5e7c90ae93b
SHA1

bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256

44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512

27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\json_auto_file\shell\open	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	2116	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2836	2656	cmd.exe	29
PID 2656 wrote to memory of 2836	2656	cmd.exe	29
PID 2656 wrote to memory of 2836	2656	cmd.exe	29
PID 2836 wrote to memory of 2832	2836	rundll32.exe	30
PID 2836 wrote to memory of 2832	2836	rundll32.exe	30
PID 2836 wrote to memory of 2832	2836	rundll32.exe	30
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2832 wrote to memory of 2116	2832	firefox.exe	31
PID 2116 wrote to memory of 2724	2116	firefox.exe	32
PID 2116 wrote to memory of 2724	2116	firefox.exe	32
PID 2116 wrote to memory of 2724	2116	firefox.exe	32
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34
PID 2116 wrote to memory of 1272	2116	firefox.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\persisted_first_party_sets.json
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.0.1852697290\731724147" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90a4e5e0-1761-4238-9f44-166ce6de5ee3} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 1292 11cd7558 gpu
        5⤵
        
        PID:2724
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.1.459550633\607591279" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21799 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be6d4429-24e9-41ef-a782-981f8e182af6} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 1508 d70158 socket
        5⤵
        
        PID:1272
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.2.457066826\1403500732" -childID 1 -isForBrowser -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 21837 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b33696-6859-4688-a723-b44e1e73391a} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 2412 19ee8358 tab
        5⤵
        
        PID:1208
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.3.312744599\370728087" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce857cc-f106-4c6e-a5db-8bacccead338} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 2860 d61058 tab
        5⤵
        
        PID:1760
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.4.1163978105\628509483" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35834ca3-2fcc-436d-b21a-a84502f53a2c} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 3644 1bc8f058 tab
        5⤵
        
        PID:2924
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.6.101329945\1380532151" -childID 5 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f51576a1-3529-41db-9674-b36226ac3fa8} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 3920 1e968858 tab
        5⤵
        
        PID:1196
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.5.1601988782\1098836987" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3768 -prefsLen 26716 -prefMapSize 232675 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {376e9758-d28d-45f8-80c2-e49d2bff1619} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 3756 1e966758 tab
        5⤵
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zf65wlcn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
150KB

MD5
653b3152aed7f83ecaaf5b7dc7f68ba8

SHA1
d4d3291729baa0da043aa8b63db4131d3a1a9536

SHA256
1f95ee0e116cc0f546f09dc43aa41da5ca58c8488b27fc48b4416f8822c0fbfd

SHA512
f6a7cbc5c046ff10f880a0176d648b29f2453d49e49f66ba00e46522fe9395caac24ec8108bd389d083f469fcd6b887cb1dc1e38a6227c0f75e2c953814e6d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zf65wlcn.default-release\prefs-1.js

Filesize
7KB

MD5
5260e8a239ad6a2c57eb2bca56f02dc8

SHA1
15619b2e13880ff28aaab4224784e3be3c6fe145

SHA256
ad909fa1b2326a85e5e9730ba6daad89b3b0b3f199d7219610341edb5d0ef9fe

SHA512
220fae5a9d7fb471fd61ccafce8ae128bcc0d05c01814cede432b85ca2c7bb0ae3233172595716b883636370d0feead6ba775a3fb7c0a6b7f83fcf130180cafc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zf65wlcn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6012f6cb47c482c2ecab4eb41deef01f

SHA1
7fb8f0382d2c0f98ba13cfe5833c0580d0900ed9

SHA256
528cf0a4738dd0afe52d1d94af4299a5d04ccf09c5485fd8580b49bdcd713386

SHA512
f918831e85d07d3d446a4be59357206b85adb948fbf5ece4e73cf97c70061175dd657886d9d71e2e79473e8416c7444559e50e0112b98694ee04d136d6337d9b

Download Submit